
Deny User Agent in Kubernetes Nginx Ingress Controller

I'm being hit with a vulnerability probe which uses User-Agent: Mozilla/5.0 Jorgee and I want to drop/reject any requests from that user agent.

I've been digging around the k8s examples but I can't seem to find a solution.

Is there any way I can deny requests based on User-Agent with gcr.io/google_contianers/nginx-ingress-controller:0.8.3?

As best I can tell from the nginx go-template, that is not something the current implementation of their ingress controller offers. I believe that in their mental model, one would wish to do that kind of suppression in a per-Service manner, since doing it in the Ingress controller could very easily apply that rule to the whole cluster, leading to surprising outcomes for other published Services. I took a look at the haproxy controller's go-template and it seems to be true there, also.

At this point, I think you have two options:

  1. Use a custom nginx go-template file, which might not be "bad" but one will need to exercise caution when doing upgrades, since your controller will no longer come with a known-correct nginx.tmpl
  2. Try a more advanced haproxy ingress controller, which allows you to specify arbitrary haproxy snippets right in your Ingress resource, which is the best approach I have seen thus far, modulo their backendRule array seems not to be standard

You can add custom nginx configuration snippets to Ingresses with annotations, at least for the "normal" nginx controller, not sure if that works with the GCE controller too. See e.g. here: https://github.com/kubernetes/ingress/blob/master/examples/customization/configuration-snippets/nginx/ingress.yaml#L8
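
The configuration-snippet approach from the last answer, applied to the User-Agent in the question, as an added example that is not part of the original posts or the project's own manifests. The Ingress name, host, backend Service and port are hypothetical. Whether the 0.8.3 image from the question honours this annotation is not confirmed by the page, and the controller must be configured to accept snippet annotations (the `allow-snippet-annotations` ConfigMap setting in current ingress-nginx).

```yaml
# Added example. deny-jorgee, example.com, web and port 80 are hypothetical names.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: deny-jorgee
  annotations:
    # Annotation name used by current ingress-nginx. Older kubernetes/ingress
    # builds used the unprefixed "ingress.kubernetes.io/configuration-snippet".
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # Rendered inside this Ingress's location blocks only, so other
      # published Services are not affected by the rule.
      # ~* is a case-insensitive regex match on the User-Agent header.
      if ($http_user_agent ~* "Jorgee") {
        return 403;   # use 444 instead to close the connection with no response
      }
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

A request sent with `User-Agent: Mozilla/5.0 Jorgee` to this host should then receive the 403 from nginx without reaching the backend Service, while other user agents pass through unchanged.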
